
By Yolanda Sims, JD, MHA
Can you recall the last time your practice performed a review and routine purge of outdated medical records? In Kansas, physicians are required to maintain patient records for a period of ten years from the last date of service.[1] If the patient is a minor, the records should be kept either ten years from the date of service or one year beyond the date of majority, whichever is longer. Hospitals are required to adhere to the same ten-year guidance, but following destruction, hospitals must maintain a summary of destroyed records for 25 years.[2]
Here are three key benefits of regularly purging outdated medical records and why a retention policy is necessary to ensure they are properly destroyed.
Benefit #1: Reduces Liability & Breach Risk
Maintaining medical records beyond the legally required retention period increases the risk of a data breach. Timely removal of outdated records reduces the volume of stored PHI, thereby limiting potential exposure to unauthorized access. A highly recommended best practice is to review records at least annually and purge those that have met all applicable state and federal retention requirements.
Benefit #2: Ensures Regulatory Compliance
When a practice follows state and HIPAA guidelines for record retention, it helps promote regulatory compliance and reduces the risk of enforcement actions from government agencies.
Benefit #3: Reduces Administrative Burden
Purging outdated records clears up space, cuts costs (e.g., fees paid to third-party vendors who maintain records) and ultimately lightens the administrative tasks for your staff. The National Institute of Standards and Technology (NIST) acknowledges that retaining unnecessary data burdens systems and staff. Furthermore, the agency points out, “Eliminating unneeded data streamlines processes, reduces system load, and enhances responsiveness.”[3]
Create a Record Retention and Destruction Policy
A record retention policy can provide clear guidance for proper destruction and help staff carry out the process correctly while avoiding potential HIPAA compliance issues. The HIPAA Privacy Rule and HIPAA Security Rule both outline the proper way to dispose of medical records to protect patient safety. Some examples of proper disposal methods may include, but are not limited to:
- For PHI in paper records: shredding, burning, pulping, or pulverizing the records so that the PHI is rendered essentially unreadable, indecipherable, and/or otherwise cannot be reconstructed.
- For PHI on electronic media: clearing (using software or hardware products to overwrite the media with non-sensitive data), purging (degaussing, or exposing the media to a strong magnetic field to disrupt the recorded magnetic domains), or destroying the media (disintegration, pulverization, melting, incineration, or shredding).[4]
In summary, retaining outdated medical records beyond the statutory requirement offers little practical benefit and can lead to increased risk, cost, and administrative challenges. To support your policy drafting process, below is a sample template you can customize to fit your specific needs. For further information on medical record retention, please contact KAMMCO’s Risk Management Department for assistance.
References
[1] K.A.R. 100-24-2
[2] See K.A.R. 28-34-9a, K.A.R. 28-34-9a(d)(3), and Kansas Hospital Association, Record Retention Guide, 2022.
[3] Swanson, Marianne, et al. Information Security Handbook: A Guide for Managers. NIST Special Publication 800-100, National Institute of Standards and Technology, Oct. 2006.
[4] U.S. Department of Health and Human Services. “575 - What does HIPAA require of covered entities when they dispose of PHI?” HHS.gov.